In general I think every developer should receive secure coding training. Most developers don't...
(generally - theres a lot of coding specifics involved) Authorize.net via their API absolutely requires PCI compliance and an SSL certificate on your site. Stripe recommends an SSL certificate with their basic JS code. And unless your sending a user directly to Paypal's website to login via Paypal, if you use their API, you should have an SSL certificate and be PCI compliant.
IE: if the CC info is entered on a page you built, on your server, yes - SSL and PCI. If your sending the user to another site (ie: Paypal or using Stripes JS code) - no, it's on them.
Most programmers should at least read the parts of OWASP that pertain to their language (https://www.owasp.org). If it gets entered into a form and stored in some sort of DB, you should at least code with basic precautions.
That's not true. If you enable payment by credit card at all, you're subject to PCI. Even a SAQ A[1] category merchant (payment page entirely hosted and managed by a PCI-compliant, third-party payment processor) are required to formally confirm that their processor is currently PCI compliance, have written rules of engagement with the processor and obey the PCI data handling and retention requirements. And if you embed your payment page in your own page (technically, if any part of the payment page is served from your site and not the processors site) then you're a SAQ-AP merchant[2], and you'll be expected to conform to a lot more of the standard.
[1] https://www.pcisecuritystandards.org/documents/Understanding... [2] https://www.clerkendweller.uk/2014/3/7/PCIDSS-SAQ-AEP-and-SA...
That said, we'd all live in a better world of every web developer knew the OWASP recommendations inside and out. I can dream.
